Protect your ML Kit Android app's Cloud credentials

If your Android app uses one of ML Kit's cloud APIs, before you launch your
app in production, you should take some additional steps to prevent
unauthorized API access.

For your production apps, you will ensure that only authenticated clients can
access cloud services. (Note that only non-rooted devices can authenticate using
the method described.)

Then, you will create a debug-only API key that you can use for convenience
during testing and development.

1. Register your production apps with Firebase

First, register your production apps with Firebase.

The fastest way to do this is to link your Firebase Project with your Google
Play project. You can do so from the Integrations section of your project
settings in the Firebase console.

When you link your projects, your production apps' SHA-1 signatures are imported
into your Firebase project, which you can confirm on the Settings page. Note
that linking your Firebase and Google Play projects also makes other Google Play
data, including crash and revenue statistics, accessible to Firebase, and
Firebase data, including analytics, accessible to Google Play.

Alternatively, if you don't want to share data between your Firebase and Google
Play projects, you can specify your apps' SHA-1 signatures yourself on the
Settings page. See "Authenticating your client" to learn how to get your apps'
SHA-1 signatures.

2. Restrict the scope of your API keys

For each API key in the list, open the editing view, and in the Key
Restrictions section, add all of the available APIs except the Cloud Vision
API to the list.

3. Create and use a debug-only API key

Finally, create a new API key to be used only for development. ML Kit can
use this API key to access Cloud services in environments where app
authentication isn't possible, such as when running on emulators.
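
An added example (not part of the Firebase documentation): a small audit for
steps 2 and 3 that flags every API key, other than the designated debug-only
key, that can still reach the Cloud Vision API. It assumes key data shaped like
the JSON printed by `gcloud services api-keys list --format=json`; the sample
keys, their uids and the function name are constructed for illustration.

```python
import json

VISION = "vision.googleapis.com"

# Constructed sample, shaped like API Keys API (v2) Key resources.
# All uids and display names are made up for this example.
SAMPLE_KEYS = json.loads("""
[
  {"uid": "key-1", "displayName": "Android key",
   "restrictions": {"apiTargets": [
       {"service": "firebaseinstallations.googleapis.com"},
       {"service": "fcm.googleapis.com"}]}},
  {"uid": "key-2", "displayName": "Browser key"},
  {"uid": "key-3", "displayName": "Legacy key",
   "restrictions": {"apiTargets": [{"service": "vision.googleapis.com"}]}},
  {"uid": "key-4", "displayName": "ML Kit debug only",
   "restrictions": {"apiTargets": [{"service": "vision.googleapis.com"}]}}
]
""")


def keys_reaching_vision(keys, debug_key_uid=None):
    """Return (uid, reason) for every key that can call Cloud Vision,
    skipping the one key designated as debug-only (assumed to be known by uid)."""
    findings = []
    for key in keys:
        if key.get("uid") == debug_key_uid:
            continue
        targets = (key.get("restrictions") or {}).get("apiTargets")
        if not targets:
            # No API restriction: the key is accepted by every API enabled
            # in the project, Cloud Vision included.
            findings.append((key["uid"], "no API restrictions"))
        elif any(t.get("service") == VISION for t in targets):
            findings.append((key["uid"], "Cloud Vision API explicitly allowed"))
    return findings


if __name__ == "__main__":
    for uid, reason in keys_reaching_vision(SAMPLE_KEYS, debug_key_uid="key-4"):
        print(f"{uid}: {reason}")
```

An empty result means only the debug-only key can call the Cloud Vision API
directly, which is the state steps 2 and 3 aim for.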